Sunday, December 25, 2011

Try your hand at embedded programming with this project

Demand for embedded programming is growing like crazy, so anyone looking for some job security might consider becoming an ace embedded programmer. It helps to have some programming experience, but even raw beginners can get started inexpensively and learn on their own. One of the friendliest introductions to embedded coding is Arduino. Arduino is a popular open embedded hardware and software platform with hundreds of howtos and projects to try out. Today we review the basics of both electronics and Arduino coding in a fun holiday project, Singing Holiday Snowman.

Singing snowman

I'm going to take my old plastic snowman (figure 1) and outfit him to sing holiday songs whenever anyone approaches within a few feet, and to blink some festive red and green LEDs. (Half the fun of Arduino is blinky lights.) You, of course, may use any object you want. If you are new to electronics and embedded coding, give yourself a few days to put this together because it covers a lot of ground. This project gives hands-on experience in these essential fundamentals:

Soldering

Reading simple schematics

Loading and modifying Arduino programs

Figure 1: Plastic snowman before his operation, mute and unlit

Source: Carla Schroder

Prerequisites

The Singing Snowman is modeled on the Halloween Pumpkin project. Beginners should work through the first three of these excellent Arduino tutorials first. These will teach you how to install and use the Arduino software, and get acquainted with tools and Arduino parts. You'll be doing a fair bit of soldering; if you're not a good hand with a soldering iron, find some nothing-to-lose circuit boards and practice. The soldering page links to some good howtos.
Here is a handy hardware list. The first two items are nice kits that supply everything you need for Singing Snowman, plus leftovers for more projects.

MaxBotix EZ1 sonar sensor. This will detect when someone is within a few feet of the snowman, and then it will play songs and animate the blinky lights. I use the MB1010 because it has a narrow sensitivity range to the front. There are three other versions with different sensitivity patterns.

Insulated 22-gauge solid-core wire in red, green, white, and black.

A magnifier and good light. I like magnifier lamps, and magnifier headlamps are nice too.

Wrist grounding strap. Arduino boards and accessories are pretty resilient to electrostatic discharge (ESD), but a strap is cheap insurance in a static-prone environment.

Drill and bits.

If you already have a well-equipped electronics workbench and don't need the two Adafruit kits, this is what you'll need for Singing Snowman:

Plus the other non-kit parts: Adafruit Wave Shield, MaxBotix EZ1, and wiring. Figure 2 shows my workbench with some of the tools and parts for this project.

Figure 2: Workbench for the singing holiday snowman project

Source: Carla Schroder

LEDs and resistors

You always need resistors with LEDs because resistors limit the current flowing to the LED to a safe level. Resistors are everywhere in electronics, and come in a huge variety of sizes and shapes. We are going to use through-hole carbon film resistors. A common beginner question is how do you know which resistors go with your LEDs? You need three pieces of information: The voltage of your power supply (Vs), and the voltage forward (Vf) and drive current (If) of the LED. Then calculate the resistor value (R), in ohms, like this: R = (Vs - Vf)/If.
For example, I have some of these 5mm red LEDs and a 9-volt power supply. So my equation is (9 - 1.85) / 0.02 = 357.5 ohms. The next highest standard resistor is 360 ohms at 1/2 watt, though most electronics gurus will go one higher and choose a 390 ohm resistor for a larger safety margin. A higher ohm value means more resistance and less current. You can damage LEDs with too much current. What does the watts value signify? That's how much power the resistor can handle. For low-power uses like our little blinky LEDS you'll see 1/8, 1/4, and 1/2 watt resistors. Try one of the many online LED calculators until you feel comfortable with your math, like this one.

Figure 3: The color-coding tells us this is a 390 ohm resistor

Source: Carla Schroder

That's for a single LED. We're using 7, so that changes our requirements. Again, there are handy online calculators to help us. The LED series/parallel array wizard calculates four different wiring layouts for you to choose from.
Resistors are color-coded. The color bars on the resistor in Figure 3 tell us this is rated at 390 ohms with 5% tolerance: Orange-White-Brown means 3-9- and one zero, or 390. The gold band = 5%. The tolerance rating is electronics-speak for plus/minus variance from the stated ohms.
Resistor color code tables are all over the place, on the Web and in books.

Assembly

The Wave Shield requires assembly and there is a lot of soldering, so do that first. When it's all together it will plug in nicely on top of your Arduino board. Then you'll solder your speaker and sonar sensor to the Wave board; follow the Halloween Pumpkin howto to see where the wires go. Make their wires long enough to allow you to mount the speaker and sensor where you want them inside your own project.
Use the LED series/parallel array wizard to figure out your LED wiring, and then solder your wiring harness together. Make sure your positive and negative leads are in correct order. The Halloween Pumpkin page says to use a glue gun to fasten the LEDs in place, but I prefer to drill holes that hold them snugly because it's less messy and easy to make changes. Once they're in place, solder the leads to the appropriate analog inputs and ground on your Wave board, and again leave enough slack in your wiring so you can move and easily access the Arduino and Wave Shield.

The clever part about the Halloween Pumpkin project is it saves a lot of code-writing by using an analog input to capture the audio output, which creates a variable-strength signal, and using that to animate the LEDs. Solder analog input #1 to the R7 1.5k resistor on the Wave board.
Plug your SD card into a PC in the usual way, with a card reader or built-in slot, and transfer your audio files to it. They must be in 22KHz 16-bit mono or lesser quality WAV. Then plug the card into the Wave Shield. Now you're ready to connect your PC to the Arduino with a USB cable, fire up the Arduino software, edit your sketch, and load it into the Arduino. One of Arduino's advantages is the speed of iteration -- you can quickly make and test changes in your code. Figure 4 shows my Singing Holiday Snowman in action.

Figure 4: Singing holiday snowman lit up and singing

Source: Carla Schroder

Arduino code

I'm using the Halloween Pumpkin sketch (an Arduino program is called a sketch) with some minor changes. The Arduino programming language is pretty much a slimmed-down C/C++. You will have to make some changes to this sketch, so look for my comments in the sketch which are enclosed in the standard C multi-line comment symbols, /* */. Single-line comments, which start with //, are the original comments from the original sketch author.
We covered a lot of ground in this Crash Course, and hopefully your project blinks and sings just the way you want. If something doesn't work right, and you can't figure it out, go back to the Arduino tutorials and review the basics, and the Arduino forums are a good source of help.

Linux comes with a host based firewall called Netfilter. According to the official project site:

netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.

This Linux based firewall is controlled by the program called iptables to handles filtering for IPv4, and ip6tables handles filtering for IPv6. I strongly recommend that you first read our quick tutorial that explains how to configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux. This post list most common iptables solutions required by a new Linux user to secure his or her Linux operating system from intruders.

IPTABLES Rules Example

Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell. Do not type commands on remote system as it will disconnect your access.

For demonstration purpose I've used RHEL 6.x, but the following command should work with any modern Linux distro.

This is NOT a tutorial on how to set iptables. See tutorial here. It is a quick cheat sheet to common iptables commands.

-v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.

-n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.

#17: Established Connections and Restaring The Firewall

When you restart the iptables service it will drop established connections as it unload modules from the system under RHEL / Fedora / CentOS Linux. Edit, /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows:

--connlimit-above 3 : Match if the number of existing connections is above 3.

--connlimit-mask 24 : Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32.

#21: HowTO: Use iptables Like a Pro

For more information about iptables, please see the manual page by typing man iptables from the command line:$ man iptables
You can see the help using the following syntax too:# iptables -h
To see help with specific commands and targets, enter:# iptables -j DROP -h

#21.1: Testing Your Firewall

Find out if ports are open or not, enter:# netstat -tulpn
Find out if tcp port 80 open or not, enter:# netstat -tulpn | grep :80
If port 80 is not open, start the Apache, enter:# service httpd start
Make sure iptables allowing access to the port 80:# iptables -L INPUT -v -n | grep 80
Otherwise open port 80 using the iptables for all users:# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# service iptables save
Use the telnet command to see if firewall allows to connect to port 80:$ telnet www.cyberciti.biz 80
Sample outputs:

I also recommend you install and use sniffer such as tcpdupm and ngrep to test your firewall settings.

Conclusion:

This post only list basic rules for new Linux users. You can create and build more complex rules. This requires good understanding of TCP/IP, Linux kernel tuning via sysctl.conf, and good knowledge of your own setup. Stay tuned for next topics:

Packet capture is one of the most fundamental and powerful ways to do network analysis. You can learn virtually anything about what is going on within a network by intercepting and examining the raw data that crosses it. Modern network analysis tools are able to capture, interpret and describe this network traffic in a human-friendly manner.
tcpdump is one of the original packet capture (or "sniffing") tools that provide these analysis capabilities, and even though it now shares the field with many other utilities, it remains one of the most powerful and flexible.
If you think that tcpdump has been made obsolete by GUI tools like Wireshark, think again. Wireshark is a great application; it's just not the right tool for the job in every situation. As a refined, universal, lightweight command-line utility—much like cat, less and hexdump—tcpdump satisfies a different type of need.
One of tcpdump's greatest strengths is its convenience. It uses a "one-off-command" approach that lends itself to quick, on-the-spot answers. It works through an SSH session, doesn't need X and is more likely to be there when you need it. And, because it uses standard command-line conventions (such as writing to STDOUT, which can be redirected), tcpdump can be used in all sorts of creative, interesting and extremely useful ways.
In this article, I introduce some of the basics of packet capture and provide a breakdown of tcpdump syntax and usage. I show how to use tcpdump to zero in on specific packets and reveal the useful information they contain. I provide some real-world examples of how tcpdump can help put the details of what's happening on your network at your fingertips, and why tcpdump is still a must-have in any admin's toolbox.

Essential Concepts

Before you can begin to master tcpdump, you should understand some of the fundamentals that apply to using all packet sniffers:

You can capture only the packets that your system receives. On a typical switched network, that excludes unicast traffic between other hosts (packets not sent to or from your machine).

You can capture only packets addressed to your system, unless the network interface is in promiscuous mode.

It is assumed that you're interested in seeing more than just your local traffic, so tcpdump turns on promiscuous mode automatically (which requires root privileges). But, in order for your network card to receive the packets in the first place, you still have to be where the traffic is, so to speak.

Anatomy of a tcpdump Command

A tcpdump command consists of two parts: a set of options followed by a filter expression (Figure 1). Figure 1. Example tcpdump Command
The expression identifies which packets to capture, and the options define, in part, how those packets are displayed as well as other aspects of program behavior.

Options

tcpdump options follow the standard command-line flag/switch syntax conventions. Some flags accept a parameter, such as -i to specify the capture interface, while others are standalone switches and can be clustered, such as -v to increase verbosity and -n to turn off name resolution.
The man page for tcpdump lists all available options, but here are a few of the noteworthy ones:

-i interface: interface to listen on.

-v, -vv, -vvv: more verbose.

-q: less verbose.

-e: print link-level (Ethernet) headers.

-N: display relative hostnames.

-t: don't print timestamps.

-n: disable name lookups.

-s0 (or -s 0): use the max "snaplen"—capture full packets (default in recent versions of tcpdump).

None of these are required. User-supplied options simply modify the default program behavior, which is to capture from the first interface, and then print descriptions of matching packets on the screen in a single-line format.

Filter Expression

The filter expression is the Boolean (true or false) criteria for "matching" packets. All packets that do not match the expression are ignored.
The filter expression syntax is robust and flexible. It consists primarily of keywords called primitives, which represent various packet-matching qualifiers, such as protocol, address, port and direction. These can be chained together with and/or, grouped and nested with parentheses, and negated with not to achieve virtually any criteria.
Because the primitives have friendly names and do a lot of the heavy lifting, filter expressions are generally self-explanatory and easy to read and construct. The syntax is fully described in the pcap-filter man page, but here are a few example filter expressions:

tcp

port 25 and not host 10.0.0.3

icmp or arp or udp

vlan 3 and ether src host aa:bb:cc:dd:ee:ff

arp or udp port 53

icmp and \(dst host mrorange or dst host mrbrown\)

Like the options, filter expressions are not required. An empty filter expression simply matches all packets.

Understanding tcpdump Output

How much sense the output makes depends on how well you understand the protocols in question. tcpdump tailors its output to match the protocol(s) of the given packet.
For example, ARP packets are displayed like this when tcpdump is called with -t and -n (timestamps and name lookups turned off):

ARP is a simple protocol used to resolve IPs into MAC addresses. As you can see above, tcpdump describes these packets in a correspondingly simple format. DNS packets, on the other hand, are displayed completely different:

This may seem cryptic at first, but it makes more sense when you understand how protocol layers work. DNS is a more complicated protocol than ARP to begin with, but it also operates on a higher layer. This means it runs over top of other lower-level protocols, which also are displayed in the output.
Unlike ARP, which is a non-routable, layer-3 protocol, DNS is an Internet-wide protocol. It relies on UDP and IP to carry and route it across the Internet, which makes it a layer-5 protocol (UDP is layer-4, and IP is layer-3).
The underlying UDP/IP information, consisting of the source and destination IP/port, is displayed on the left side of the colon, followed by the remaining DNS-specific information on the right.
Even though this DNS information still is displayed in a highly condensed format, you should be able to recognize the essential elements if you know the basics of DNS. The first packet is a query for linuxjournal.com, and the second packet is an answer, giving the address 76.74.252.198. These are the kind of packets that are generated from simple DNS lookups.
See the "OUTPUT FORMAT" section of the tcpdump man page for complete descriptions of all the supported protocol-specific output formats. Some protocols are better served than others by their output format, but I've found that tcpdump does a pretty good job in general of showing the most useful information about a given protocol.

Capture Files

In addition to its normal behavior of printing packet descriptions to the screen, tcpdump also supports a mode of operation where it writes packets to a file instead. This mode is activated when the -w option is used to specify an output capture file.
When writing to a file, tcpdump uses a completely different format from when it writes to the screen. When writing to the screen, formatted text descriptions of packets are printed. When writing to a file, the raw packets are recorded as is, without analysis.
Instead of doing a live capture, tcpdump also can read from an existing capture file as input with the -r option. Because tcpdump capture files use the universally supported "pcap" format, they also can be opened by other applications, including Wireshark.
This gives you the option to capture packets with tcpdump on one host, but perform analysis on a different host by transferring and loading the capture file. This lets you use Wireshark on your local workstation without having to attach it to the network and location you need to capture from.

Analyzing TCP-Based Application Protocols

tcpdump is a packet-based analyzer, and it works great for connectionless, packet-based protocols like IP, UDP, DHCP, DNS and ICMP. However, it cannot directly analyze "connection-oriented" protocols, such as HTTP, SMTP and IMAP, because they work completely different.
They do not have the concept of "packets". Instead, they operate over the stream-based connections of TCP, which provide an abstracted communications layer. These application protocols are really more like interactive console programs than packet-based network protocols.
TCP transparently handles all of the underlying details required to provide these reliable, end-to-end, session-style connections. This includes encapsulating the stream-based data into packets (called segments) that can be sent across the network. All of these details are hidden below the application layer.
In order to capture TCP-based application protocols, an extra step is needed beyond capturing packets. Because each TCP segment is only a slice of application data, it can't be used individually to obtain any meaningful information. You first must reassemble TCP sessions (or flows) from the combined sets of individual segments/packets. The application protocol data is contained directly within the sessions.
tcpdump doesn't have an option to assemble TCP sessions from packets directly, but you can "fake" it by using what I call "the tcpdump strings trick".

The tcpdump Strings Trick

Usually when I'm capturing traffic, it's just for the purpose of casual analysis. The data doesn't need to be perfect if it shows me what I'm looking for and helps me gain some insight.
In these cases, speed and convenience reign supreme. The following trick is along these lines and is one of my favorite tcpdump techniques. It works because:

Put it all together, and you get a command that dumps real-time HTTP session data:

tcpdump -l -s0 -w - tcp dst port 80 | strings

The -l option above turns on line buffering, which makes sure data gets printed to the screen right away.
What is happening here is tcpdump is printing the raw, binary data to the screen. This uses a twist on the -w option where the special filename - writes to STDOUT instead of a file. Normally, doing this would display all kinds of gibberish, but that's where the strings command comes in—it allows only data recognized as text through to the screen.
There are few caveats to be aware of. First, data from multiple sessions received simultaneously is displayed simultaneously, clobbering your output. The more refined you make the filter expression, the less of a problem this will be. You also should run separate commands (in separate shells) for the client and server side of a session:

Also, you should expect to see a few gibberish characters here and there whenever a sequence of binary data also happens to look like text characters. You can cut down on this by increasing min-len (see the strings man page).
This trick works just as well for other text-based protocols.

HTTP and SMTP Analysis

Using the strings trick in the previous section, you can capture HTTP data even though tcpdump doesn't actually understand anything about it. You then can "analyze" it further in any number of ways.
If you wanted to see all the Web sites being accessed by "davepc" in real time, for example, you could run this command on the firewall (assume the internal interface is eth1):

In this example, I'm using a simple grep command to display only lines with GET or Host. These strings show up in HTTP requests and together show the URLs being accessed.
This works just as well for SMTP. You could run this on your mail server to watch e-mail senders and recipients:

These are just a few silly examples to illustrate what's possible. You obviously could take it beyond grep. You could go as far as to write a Perl script to do all sorts of sophisticated things. You probably wouldn't take that too far, however, because at that point, there are better tools that actually are designed to do that sort of thing.
The real value of tcpdump is the ability to do these kinds of things interactively and on a whim. It's the power to look inside any aspect of your network whenever you want without a lot of effort.

Debugging Routes and VPN Links

tcpdump is really handy when debugging VPNs and other network connections by showing where packets are showing up and where they aren't. Let's say you've set up a standard routable network-to-network VPN between 10.0.50.0/24 and 192.168.5.0/24 (Figure 2). Figure 2. Example VPN Topology
If it's operating properly, hosts from either network should be able to ping one another. However, if you are not getting replies when pinging host D from host A, for instance, you can use tcpdump to zero in on exactly where the breakdown is occurring:

tcpdump -tn icmp and host 10.0.50.2

In this example, during a ping from 10.0.50.2 to 192.168.5.38, each round trip should show up as a pair of packets like the following, regardless of from which of the four systems the tcpdump command is run:

If the request packets make it to host C (the remote gateway) but not to D, this indicates that the VPN itself is working, but there could be a routing problem. If host D receives the request but doesn't generate a reply, it probably has ICMP blocked. If it does generate a reply but it doesn't make it back to C, then D might not have the right gateway configured to get back to 10.0.50.0/24.
Using tcpdump, you can follow the ping through all eight possible points of failure as it makes its way across the network and back again.

Conclusion

I hope this article has piqued your interest in tcpdump and given you some new ideas. Hopefully, you also enjoyed the examples that barely scratch the surface of what's possible.
Besides its many built-in features and options, as I showed in several examples, tcpdump can be used as a packet-data conduit by piping into other commands to expand the possibilities further—even if you do manage to exhaust its extensive "advertised" capabilities. The ways to use tcpdump are limited only by your imagination.
tcpdump also is an incredible learning tool. There is no better way to learn how networks and protocols work than from watching their actual packets.
Don't forget to check out the tcpdump and pcap-filter man pages for additional details and information.

The tcpdump/libpcap Legacy

tcpdump has been the de facto packet capture tool for the past 25 years. It really did spawn the whole genre of network utilities based on sniffing and analyzing packets. Prior to tcpdump, packet capture had such high processing demands that it was largely impractical. tcpdump introduced some key innovations and optimizations that helped make packet capture more viable, both for regular systems and for networks with a lot of traffic.
The utilities that came along afterward not only followed tcpdump's lead, but also directly incorporated its packet capture functionality. This was possible because very early on, tcpdump's authors decided to move the packet capture code into a separate portable library called libpcap.
Wireshark, ntop, snort, iftop, ngrep and hundreds of other applications and utilities available today are all based on libpcap. Even most packet capture applications for Windows are based on a port of libpcap called WinPcap.

In my previous article describing the troubleshooting steps for faulty TCP/IP connections, I mentioned several commands such as ping, traceroute, and ipconfig that could assist you in pinpointing problematic network components. These commands and several others like them are commonly referred to as TCP/IP utilities because they are tools that let you perform diagnostics and queries on the network which you are examining.
To compliment Part 1 of this two-part series, Part 2 is a reference list of the TCP/IP utilities which will describe the intended uses and options for each. These tools natively run in command line interface (CLI) environments (or in Linux and Unix, “shell prompts”), but as several entries in this blog show, there are a great many graphical utilities available that let you use the TCP/IP utilities (and view their output) in graphical format. In this article, however, I will stick with the default CLI usage and functionality.
When working in a CLI environment in Windows, I prefer to use Windows PowerShell as opposed to the default Windows command prompt (cmd.exe).
Remember: the best way to learn and understand these tools is to practice and experiment with them. Also bear in mind that knowledge of these commands is essential during ethical hacking efforts.Jump to:

Arp

The arp command lets you view and manage the Address Resolution Protocol (ARP) cache. In other words, arp displays and modifies the IP address-to-MAC address translation tables used by the ARP protocol. In order for the arp command to be meaningful and helpful, you need to first understand the purpose of the Address Resolution Protocol. As DNS translates between host names and IP addresses, ARP translates between MAC addresses (Layer 2) and IP addresses (Layer 3). When a host attempts to communicate with another host on the same subnet, it must first know the destination host’s MAC address. If there is no entry in the sending host’s ARP cache for the destination MAC address, ARP sends out a broadcast (to all hosts in the subnet) asking the host with the target IP address to send back its MAC address. These IP-to-MAC mappings build up in the ARP cache which the arp command lets you view and modify.
Be aware that the ARP cache is a tempting target for hackers. It can be vulnerable to cache poisoning attacks in which false entries are inserted into the ARP cache, causing the compromised host to unknowingly send data (often unencrypted) to the attacker.
The default arp command syntax in Windows is:arp -s inet_addr eth_addr [if_addr]arp -d inet_addr [if_addr]arp -a [inet_addr] [-N if_addr] [-v]

Arp command switches (Windows)

Description

arp -a or arp -g

Displays both the IP and MAC addresses in the ARP cache for all network interfaces using ARP.

arp -d [inet_addr]

Deletes all entries from the ARP cache which causes ARP queries for local network hosts to be re-processed. For example, arp -d 10.57.10.32.

arp -N [if_addr]

Displays the ARP entries for the network interface specified by [if_addr]. Used in conjunction with -a or -g. For example: arp -a -N 192.168.20.15, where 192.168.20.15 is the IP address of your (or one of your) network interfaces.

arp -s

Adds a static (“permanent”) entry to the ARP cache. This command is a countermeasure to ARP spoofing attacks. For example, this command adds a static entry: arp -s 157.55.85.212 00-aa-00-62-c6-09.

arp -v

Displays current ARP entries in verbose mode. All invalid entries and entries on the loopback interface will be shown. Used in conjunction with arp -a or arp -g.

[eth_addr]

Specifies a physical (MAC) address.

[if_addr]

If present, this specifies the Internet address of the interface on your computer whose address translation table should be modified. Useful if your computer has multiple network interfaces. If not present, the first applicable interface will be used.

[inet_addr]

Specifies an IP address entry in the ARP cache. Used in conjunction with -a or -g. For example, the command arp -a 192.168.10.20 will query the cache to display the MAC address of host 192.168. 10.20.

Arp command switches (Linux)

Description

Shows the entries of the specified hosts. If the [hostname] parameter is not used, all entries will be displayed.

arp -d [ip_addr]or –delete [ip_addr]

Removes the ARP cache entry for the specified host. arp -d * will delete all hosts in the cache (note the space between -d and *).

arp -D or–use-device

Uses the hardware address associated with the specified interface.

arp -e

Shows the entries in default (Linux) style.

arp -f [filename] or–file [filename]

Similar to the -s option, only this time the address info is taken from file that [filename] set up. The name of the data file is very often /etc/ethers, but this is not official. If no [filename] is specified, /etc/ethers is used as default.

arp -H or –hw-type [type] or -t [type]

When setting or reading the ARP cache, this optional parameter tells arp which class of entries it should check for. The default value of this parameter is ether (i.e. hardware code 0×01 for IEEE 802.3 10Mbps Ethernet).

Hostname command switches (Linux)

Description

hostname [hostname]

Sets the host name.

hostname -a or –alias

Displays the alias name of the host (if used).

hostname -A or –all-fqdns

Displays all FQDNs of the machine. This option enumerates all configured network addresses on all configured network interfaces, and translates them to DNS domain names. Addresses that cannot be translated (i.e. because they do not have an appropriate reverse DNS entry) are skipped.

hostname -b or –boot

Always set a hostname; this allows the file specified by -F to be non-existant or empty, in which case the default hostname localhost will be used if none is yet set.

hostname -d or –domain

Displays the DNS domain name.

hostname -f or –fqdn or –long

Displays the fully qualified domain name.

hostname -F [file] or –file [file]

Consults [file] for host name.

hostname -h or –help

Displays a help message.

hostname -i or–ip-addresses

Displays the host IP address.

hostname -I or –all-ip-addresses

Displays all network addresses of the host. This option enumerates all configured addresses on all network interfaces except the loopback interface and IPv6 link-local addresses. Unlike option -i, this option does not depend on name resolution.

hostname -s or –short

Trims domain information from the display output.

hostname -v or –verbose

Verbose mode

hostname -V or –version

Displays the version information and then exits.

hostname -y or –yp or -nis [domain name]

Displays the NIS domain name or sets a new NIS domain name with [domain name].

Ifconfig

The ifconfig command displays and configures the parameters for host network interfaces (e.g., IP address, subnet mask and default gateway) on Linux and Unix. Its Windows counterpart is ipconfig. When used without arguments, ifconfig displays the current configurations for all network interfaces (such as your NIC, wireless adapter, and loopback). Interface names are numbered starting at zero: eth0, eth1, wlan0, wlan1, etc.
The standard ifconfig command syntax is as follows:ifconfig [interface or address_family type] options | address …

Ifconfig command switches

Description

ifconfig

Displays details on all network interfaces.

ifconfig [interface]

The name of the interface. This is usually a driver name followed by a unit number; for example, eth0 for the first Ethernet interface. Eth0 will usually be a PC’s primary network interface card (NIC).

Enables or disables all-multicast mode If selected, all multicast packets on the network will be received by the interface. This enables or disables the sending of incoming frames to the kernel’s network layer.

ifconfig [interface] arp or -arp

Enables or disables the use of the ARP protocol on this [interface].

ifconfig [interface] broadcast [address]

Specifies the address to use to use for broadcast transmissions. By default, the broadcast address for a subnet is the IP address with all ones in the host portion of the subnet address (i.e., a.b.c.255 for a /24 subnet).

ifconfig [interface] del [address/prefixlength]

Remove an IPv6 address from the [interface].

ifconfig [interface] down

Disables the [interface].

ifconfig [interface] hw [class] [address]

Sets the hardware (MAC) address of this [interface], if the device driver supports this operation. The keyword must be followed by the name of the hardware class and the printable ASCII equivalent of the hardware address. Hardware classes currently supported include ether (Ethernet), ax25 (AMPR AX.25), ARCnet and netrom (AMPR NET/ROM).

Sets physical port or medium type. Examples of [type] are 10baseT, 10base2, and AUI. A [type] value of auto will tell the interface driver to automatically determine the media type (driver support for this command varies).

Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries. Similar to arp -a.

ipconfig /flushdns

Flushes (deletes) the contents of the DNS client resolver cache. Similar to arp -d.

ipconfig /registerdns

Initiates dynamic registration for the DNS names and IP addresses that are configured at a computer.

ipconfig /release and /release6 [adapter]

Releases (deletes) the dynamic (from DHCP) IPv4 or IPv6 parameters of all network interfaces (if no specific adapter name is specified. For example, ipconfig /release LO* releases only those interfaces starting with ‘Lo’).

ipconfig /renew and /renew6 [adapter]

Initiates communication with a DHCP server and renews the dynamic IPv4 or IPv6 parameters of all or some network interfaces. For example, ipconfig /renew LO* renews all interfaces starting with ‘Lo’.

ipconfig /setclassid and /setclassid6 [adapter]

Modifies the DHCP or DHCPv6 class id. Classes can be vendor-defined or user-defined and are implemented by the DHCP administrator when certain clients need different default gateway or DNS server parameters.

ipconfig /showclassid and /showclassid6 [adapter]

Displays the DHCP or DHCPv6 class id.

Nbtstat

Nbtstat is a Windows tool used to troubleshoot NetBIOS over TCP/IP name resolution problems. NetBIOS over TCP/IP is a networking protocol that allows legacy computer applications relying on the NetBIOS to be used on modern TCP/IP networks. Therefore, it is unlikely that NetBIOS over TCP/IP will be utilized within your network nowadays.Nbtstat can check the state of current NetBIOS over TCP/IP (NetBT) connections, view and update the NetBIOS name cache, and determine the names registered with Windows Internet Name Service (WINS). If you are interested, nbtstat output is described on TechNet.
Do not confuse this command with netstat.
The standard nbtstat command syntax is:nbtstat [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]

nbtstat command switches

Description

nbtstat -a [remote name]

Returns the NetBIOS name table and MAC address of the address card for the computer name specified.

nbtstat -A [remote IP address]

Lists the same information as nbtstat -a when given the target’s IP address.

nbtstat -c

Displays the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses.

nbtstat -n

Displays the NetBIOS name table of the local computer. The status of ‘registered’ indicates that the name is registered either by broadcast or with a WINS server.

nbtstat -r

Lists names resolved by broadcast and via WINS.

nbtstat -R

Purges and reloads the remote cache name table.

nbtstat -RR

Releases and then refreshes NetBIOS names for the local computer that is registered with WINS servers.

nbtstat -s

Displays NetBIOS client and server sessions, attempting to convert the destination IP address to a name.

Netstat

The netstat command displays the TCP/IP protocol statistics and active connections on the computer on which it was executed. Netstat is particularly useful when you suspect that there may be unauthorized connections to your computer (such as when a possible malware has occurred).Two popular graphical viewers for netstat are TCPEye and CurrPorts.
Netstat can be used to detect SYN floods that may be affecting a host. If you run a netstat command such as netstat -n -p TCP and you see many connections in the SYN_RECV state, you know some anomaly is occurring.
Do not confuse this command with nbtstat.
The standard netstat command syntax in Windows is:netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

Netstat command switches (Windows)

Description

netstat

Shows the active connections for all outbound TCP/IP connections.

netstat -a

Displays a more comprehensive list of active connections and the ports on which the computer is listening (includes UDP).

netstat -b

Displays the executable involved in creating each connection or listening port.

netstat -e

Displays Ethernet-related statistics.

netstat -f

Displays Fully Qualified Domain Names (FQDN) for foreign addresses. With this option you can check if your PC is connected to suspicious websites.

netstat -n

Displays active TCP connections; addresses and port numbers are expressed numerically; no attempt is made to determine host names.

netstat -o

Displays the owning process ID (PID) associated with each connection. You can look up a PID with the Windows Task Manager.

netstat -p [proto]

Displays connection details for only a certain protocol, where [proto] can be TCP, UDP, TCPv6, or UDPv6. With the additional -s option, [proto] can be IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.

Netstat command switches (Linux)

Description

Specifies the address families for which connections are to be shown. [family] is a comma separated list of address family keywords like inet, unix, ipx, ax25, netrom, and ddp. This has the same effect as using the –inet, –unix (-x), –ipx, –ax25, –netrom, and –ddp options.

netstat -c or –continuous

Configures netstat to refresh the displayed information every second until stopped.

netstat -C

Prints routing information from the route cache.

netstat -e or –extend

Displays an increased level of detail. Can be entered as twice (as –ee) for maximum details.

Prints the SELinux context if SELinux is enabled. On hosts running SELinux, all processes and files are labeled in a way that represents security-relevant information. This information is called the SELinux context.

.
Some common netstat commands are: netstat -natp, netstat -t -listening, netstat -ntu, netstat -nap, netstat -ntulp, netstat -rne, and netstat -anp | grep [port_number]. Using the table above you can figure out what each of these commands does.

Nslookup, Dig, and Host

NSlookup (“name server lookup”) is a DNS query tool. This means that nslookup checks DNS records, domain host aliases, domain host services, and operating system information by querying DNS servers. Nslookup can also be used to perform DNS zone transfers and is useful when performing network footprinting during ethical hacking efforts. It has two modes: interactive and noninteractive. Interactive mode queries DNS servers for details about various hosts and domains. Noninteractive mode prints only the name and requested information for a host or domain.
Although it is still available by default on Windows and Linux/Unix, nslookup has been deprecated and further use is discouraged. It has effectively been replaced by its successors, the dig (Domain Information Groper) and host utilities. Unlike nslookup, they are not available natively on Windows and must be installed manually. There is a host command in Windows PowerShell but that is something different. You can install the Windows versions of dig and host by extracting them from BIND for Windows available here.Dig is basically an improved version of nslookup. Host enables quick lookups of DNS server information and is used to find 1) the IP address of a given domain name and 2) the domain name of a given IP address.

Nslookup command switches (Windows)

Description

C:\>nslookup

Enters interactive mode; prompt changes from C:> to >.

C:\>nslookup – [DNSserver]

Enters interactive mode using a particular DNS server.

C:\>nslookup [hostname] or [IPaddress]

Queries DNS for the IP address of a particular host or vice versa.

C:\>nslookup [hostname or IPaddress] [DNSserver]

Queries DNS for the IP address of a particular host (or vice versa) using a particular DNS server.

Lists all DNS records for example.com. Can be used to launch a zone transfer when connected to the SOA for a DNS zone. These transfers can be blocked in the DNS properties of the server.

>ls -t [type] [example.com]

Lists records of the given RFC record [type] (e.g., A ,CNAME, MX, NS, PTR, etc.)

>lserver

Changes the default server to the specified DNS domain.

>root

Changes the default server to the server for the root of the DNS domain name space.

>server

Changes the default server to the specified DNS domain.

>set

Changes configuration settings that affect how lookups function.

>set all

Prints the current values of the configuration settings.

>set class=X

Changes the query class. The class specifies the protocol group of the information.

>set [no]d2

Turns exhaustive Debugging Mode on or off. All fields of every packet are printed.

>set [no]debug

Turns Debugging Mode on or off.

>set [no]defname

Appends the default DNS domain name to a single component lookup request. A single component is a component that contains no periods.

>set domain=NAME

Changes the default DNS domain name to the name specified.

>set ignore

Ignores packet truncation errors.

>set ixfrver=X

Current version to use in IXFR transfer request.

>set [no]msxfr

Use MS fast zone transfer.

>set port

Changes the default TCP/UDP DNS name server port to the value specified.

>set querytype=X

Changes the resource record type for the query.

>set [no]recurse

Tells the DNS name server to query other servers if it does not have the information.

>set retry=X

Sets the number of retries to X.

>set root=NAME

Changes the name of the root server used for queries.

>set [no]search

Appends the DNS domain names in the DNS domain search list to the request until an answer is received. This applies when the set and the lookup request contain at least one period, but do not end with a trailing period.

>set srchlist=N1[/N2/.../N6]

Changes the default DNS domain name to N1 and search list.

>set timeout=X

Changes the initial number of seconds to wait for a reply to a request.

>set type=X

Changes the resource record type for the query.

>set [no]vc

Specifies to use or not use a virtual circuit when sending requests to the server.

Nslookup command switches (Linux)

Description

$ nslookup

Enters interactive mode; prompt changes from $ to >.

$ nslookup [hostname or IP address]

Queries DNS for the IP address of a particular host or vice versa.

>exit

Exits nslookup.

>host [server]

Looks up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.

>server [domain] or lserver [domain]

Changes the default server to [domain]; lserver uses the initial server to look up information about [domain], while server uses the current default server. If an authoritative answer can’t be found, the names of servers that might have the answer are returned.

>set

This command is used to change state information that affects the lookups.

>set all

Prints the current values of the frequently used options to set. Information about the current default server and host is also printed.

Turn on or off the display of the full response packet and any intermediate response packets when searching.
(Default = nodebug; abbreviation = [no]deb)

>set d2 or nod2

Turns debugging mode on or off. This displays more about what nslookup is doing.
(Default = nod2)

>set domain=[name]

Sets the search list to [name].

>set search or nosearch

If the lookup request contains at least one period but doesn’t end with a trailing period, appends the domain names in the domain search list to the request until an answer is received.
(Default = search)

Dig command switches

Description

dig

Displays the DNS root servers and the the IP address of your host’s DNS server.

@[server]

The name or IP address of the DNS server to query. If no [server]argument is provided, dig consults /etc/resolv.conf and queries the DNS server(s) listed there. The reply from the DNS server that responds is displayed in the command output.

[name]

The domain name to query.

[type]

Indicates which type of query is required, such as ANY, A, MX, SIG, etc. If no [type] argument is supplied, dig will perform a lookup for an A record.

dig -b [address]

Sets the source IP address of the DNS query to [address]. This must be a valid address on one of the host’s network interfaces or “0.0.0.0″ or “::”. An optional port may be specified by appending “#”.

dig -c [class]

Sets the query [class] (described in the nslookup for Linux options above). Default is IN (Internet).

dig -f [filename]

Configures dig to process the list of lookup requests in file specified.

dig -h

Prints a brief summary of dig’s command-line arguments and options.

dig -k [TSIG_key_file]

Signs the DNS queries sent by dig and their responses using transaction signatures (TSIG).

dig -m

Enables memory usage debugging.

dig -p [portnumber]

Configures the port number for dig to query. Of course, the default port is 53 for DNS.

dig -q [name]

Sets the query name to the [name] parameter value specified.

dig -t [type]

Sets the [type] of query to be performed. Default is A.

dig -x [addr]

Used for reverse lookups (IP address to host name, rather than vice versa).

dig -y[hmac:]name:key]

Signs DNS queries by specifying the TSIG key itself on the command line. hmac is the type of the TSIG, default HMAC-MD5, [name] is the name of the TSIG key and [key] is the actual key. The key is a base-64 encoded string, typically generated by dnssec-keygen.

dig +aaflagor +noaaflag

A synonym for +[no]aaonly.

dig +aaonly or +noaaonly

Sets or removes the “aa” flag in the query.

dig +additional or +noadditional

Displays or does not display the additional section of a reply. The default is to display it.

dig +adflag or +noadflag

Set or removes the AD (authentic data) bit in the query. This requests the DNS server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server. AD=1 indicates that all records have been validated as secure and the answer is not from an OPT-OUT range. AD=0 indicates that some part of the answer was insecure or not validated.

dig +all or +noall

Sets or clears all display flags.

dig +answer or +noanswer

Displays or does not display the answer section of a reply. The default is to display it.

dig +authority or +noauthority

Displays or does not display the authority section of a reply. The default is to display it.

dig +besteffort or +nobesteffort

Attempts to display the contents of messages which are malformed. The default is to not display malformed answers.

dig +bufsize=[B]

Sets the UDP message buffer size advertised using EDNS0 to [B] bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause an EDNS query to be sent.

dig +edns=# or +noedns

Specifies the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent. +noedns clears the remembered EDNS version.

dig +cdflag or +nocdflag

Sets or removes the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.

dig +cl or +nocl

Display or does not display the CLASS when printing the record.

dig +cmd or +nocmd

Toggles or untoggles the printing of the initial comment in the output identifying the version of dig and the query options that have been applied. This comment is printed by default.

dig +comments or +nocomments

Toggle or untoggles the display of comment lines in the output. The default is to print comments.

dig +defname or +nodefname

Deprecated; treated as a synonym for +[no]search.

dig +domainname=[somename]

Set the search list to contain the single domain [somename], as if specified in a domain directive in /etc/resolv.conf, and enable search list processing as if the +search option were given.

dig +dnssec or +nodnssec

Requests DNSSEC records be sent or not sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.

dig +fail or +nofail

Try or do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.

dig +identify or +noidentify

Shows or does not show the IP address and port number that supplied the answer when the +short option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.

dig +ignore or +noignore

Ignores or does not ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.

dig +multiline or +nomultiline

Prints or does not print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the dig output.

dig +ndots=[D]

Sets the number of dots that have to appear in name to [D] for it to be considered absolute. The default value is that defined using the ndots statement in /etc/resolv.conf, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the search or domain directive in /etc/resolv.conf.

dig +nsid or +nonsid

Include or exclude an EDNS name server ID request when sending a query.

dig +nssearch or +nonssearch

When this option is set, dig attempts to 1) find the authoritative name servers for the zone containing the name being looked up and 2) display the SOA record that each name server has for the zone.

dig +onesoa or +noonesoa

Print only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records.

dig +qr or +noqr

Prints or does not print the query as it is sent. By default, the query is not printed.

dig +question or +noquestion

Prints or does not print the question section of a query when an answer is returned. The default is to print the question section as a comment.

dig +retry=[T]

Sets the number of times to retry UDP queries to server to [T] instead of the default, 2. Unlike +tries, this does not include the initial query.

dig +search or +nosearch

Uses or does not use the search list defined by the searchlist or domain directive in resolv.conf (if any). The search list is not used by default.

dig +short or +noshort

Provides or does not provide a terse (brief) answer. The default is to print the answer in a verbose form.

dig +showsearch or +noshowsearch

Performs or does not perform a search showing intermediate results.

dig +sigchase or +nosigchase

Chases or does not chase DNSSEC signature chains. Requires dig be compiled with -DDIG_SIGCHASE.

dig +stats or +nostats

This query option toggles or untoggles the printing of statistics; i.e., when the query was made, the size of the reply, and so on. The default behavior is to print the query statistics.

dig +tcp or +notcp

Uses or does not use TCP when querying name servers. The default behavior is to use UDP unless an AXFR (full) or IXFR (incremental) query is requested, in which case a TCP connection is used.

dig +time=[T]

Sets the timeout for a query to [T] seconds. The default timeout is 5 seconds. An attempt to set [T] to less than 1 will result in a query timeout of 1 second being applied.

dig +ttlid or +nottlid

Displays or does not display the TTL when printing the record.

dig +topdown or +notopdown

When chasing DNSSEC signature chains, performs or does not perform a top-down validation. Requires dig be compiled with -DDIG_SIGCHASE.

dig +trace or +notrace

Toggle or untoggles tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, dig makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup

dig +tries=[T]

Sets the number of times to try UDP queries to server to [T] instead of the default, 3. If [T] is less than or equal to zero, the number of tries is silently rounded up to 1.

dig +trusted-key=####

Specifies a file containing trusted keys to be used with +sigchase. Each DNSKEY record must be on its own line. If not specified, dig will look for /etc/trusted-key.key, then trusted-key.key in the current directory. Requires dig be compiled with -DDIG_SIGCHASE.

dig +vc or +novc

Uses or does not use TCP when querying name servers. This alternate syntax to +[no]tcp is provided for backwards compatibility. The “vc” stands for virtual circuit.

Host command switches

Description

Equivalent to setting the -v option and asking host to make a query of [type] ANY.

host -c [class]

Specifies the DNS query class (described in the nslookup for Linux options above). Default is IN (Internet).

host -C [zone_name]

Attempts to display the SOA records for [zone_name] from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone.

host -d or -v

Enables verbose output.

host -i

Specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC 1886. The default is to use IP6.ARPA.

host -l [zone_name]

Enables list mode which makes host perform a zone transfer for [zone_name]. Transfer the zone printing out the NS, PTR and address records (A/AAAA). If combined with -a all records will be printed.

host -m [zone_name]

Used to set the memory usage debugging flags [record], [usage] and [trace].

host -N [name]

Sets the number of dots that have to be in name for it to be considered absolute. The default value is that defined using the ndots statement in /etc/resolv.conf, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the search or domain directive in /etc/resolv.conf.

host -r [name]

Specifies non-recursive queries. Setting this option clears the RD (recursion desired) bit in the query which host makes. This should mean that the name server receiving the query will not attempt to resolve [name]. The -r option enables host to mimic the behavior of a DNS server by making non-recursive queries and expecting to receive answers to those queries that are usually referrals to other DNS servers.

host -R [number]

Changes the number of UDP retries for a lookup.

host -s

Used to set the memory usage debugging flags [record], [usage] and [trace].

host -t [type]

Selects the DNS query type, where [type] can be CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query [type] is specified, host automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records, but if the -C option was given, queries will be made for SOA records, and if [name] is a dotted-decimal IPv4 address or colon-delimited IPv6 address, host will query for PTR records.

host -T

Makes host use a TCP connection when querying a DNS server.

host -w

Configures host to effectively wait forever for a reply.

host -W [wait]

Makes host wait for [wait] seconds.

host -4

Forces host to only use IPv4 query transport.

host -6

Forces host to only use IPv6 query transport.

PathPing

PathPing is a Windows utility that combines features from ping and tracert. PathPing sends packets to each router (hop) on the way to a destination over a period of time, and then computes the packets lost and the performance statistics for each hop. Like tracert, PathPing can identify problematic network hosts. The destination can be specified by DNS name or IP address.
You can download a neat little PathPing desktop gadget (for Windows Vista or 7) from TechRepublic here. You’ll have to rename the PathPing.zip file to PathPing.gadget.
Two PathPing switches are apparently no longer supported on Windows 7: -R (RSVP test) and -T (Layer Two tag).
The standard PathPing command syntax is:pathping [-g host-list] [-h max_hops] [-i address] [-n] [-p period] [-q num_queries] [-w timeout] [-4] [-6] target_name

PathPing command switches

Description

pathping -g

Loose source route along host list.

pathping -h [number]

Maximum [number] of hops to search for target.

pathping -i [address]

Use the specified source [address].

pathping -n

Do not resolve addresses to hostnames.

pathping -p [milliseconds]

Wait period [milliseconds] between pings.

pathping -q [number]

[Number] of queries per hop.

pathping -w [milliseconds]

Wait timeout in [milliseconds] for each reply.

pathping -4

Force using IPv4.

pathping -6

Force using IPv4.

Ping

The ping (Packet InterNet Groper) command is arguably the most useful networking troubleshooting utility; it is definitely the simplest and most used. Ping tests the online status of a host on an IP network and measures the total round-trip time (in milliseconds) for packets sent from the source host to a destination host and back. Ping does this by sending Internet Control Message Protocol (ICMP) packets (usually). ICMP is a protocol that works with IP to provide error checking and reporting functionality. Ping sends ICMP echo requests to a remote host. If the host is able to respond, it replies with echo reply.
When you ping a destination name, the replies will tell you the host’s IP address, the number of bytes sent, round-trip time, and the packets’ Time to Live (TTL). When you ping a destination IP address, it responds with all the above except for the host name (unless you provide the -a switch). Ping doesn’t just test connectivity – it can also verify that TCP/IP is installed correctly and that DNS name resolution is working properly (see Part 1 of this blog post).
Standard ICMP pings do not utilize port numbers or use TCP or UDP; ICMP is a Layer 3 (Network layer) protocol. TCP and UDP operate at Layer 4, the Transport layer.
The ping command can be misused in a variety of denial of service attacks, such as the Ping of Death, Smurf attack, and Ping flood.
In Windows the ping command follows this standard syntax:ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v ToS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name

Ping command switches (Windows)

Description

ping -a

Specifies that reverse name resolution is performed on the destination IP address.

ping -f

Specifies that Echo Request messages are sent with the ‘Don’t Fragment’ flag in the IP header set to 1 (available on IPv4 only).

ping -i [TTL]

Specifies the value of the TTL field in the IP header for Echo Request messages sent. The default is the default TTL value for the host. The maximum [TTL] is 255.

ping -j [hostlist]

Specifies that the Echo Request messages use the Loose Source Route option in the IP header with the set of intermediate destinations specified in [HostList] (available on IPv4 only). With loose source routing, successive intermediate destinations can be separated by one or multiple routers. The maximum number of addresses or names in the host list is 9. The host list is a series of IP addresses (in dotted decimal notation) separated by spaces.

ping -k [hostlist]

Specifies that the Echo Request messages use the Strict Source Route option in the IP header with the set of intermediate destinations specified in [HostList] (available on IPv4 only). With strict source routing, the next intermediate destination must be directly reachable (it must be a neighbor on an interface of the router). The maximum number of addresses or names in the host list is 9. The host list is a series of IP addresses (in dotted decimal notation) separated by spaces.

ping -l [size]

Specifies the length, in bytes, of the Data field in the Echo Request messages sent. The default size is 32. The maximum size is 65,527.

ping -n [count]

Specifies the number of Echo Request messages sent. The default is 4.

ping -r [count]

Specifies that the Record Route option in the IP header is used to record the path taken by the Echo Request message and corresponding Echo Reply message (available on IPv4 only). Each hop in the path uses an entry in the Record Route option. If possible, specify a [count] that is equal to or greater than the number of hops between the source and destination. The [count] must be a minimum of 1 and a maximum of 9.

ping -R

Specifies that the round-trip path is traced (IPv6 only).

ping -s [count]

Specifies that the Internet Timestamp option in the IP header is used to record the time of arrival for the Echo Request message and corresponding Echo Reply message for each hop. The [count] must be a minimum of 1 and a maximum of 4. This is required for link-local destination addresses.

Specifies the value of the Type of Service[ToS] field in the IP header for Echo Request messages sent (available on IPv4 only). The default is 0. [ToS] is specified as a decimal value from 0 through 255.

ping -w [timeout]

Specifies the amount of time, in milliseconds, to wait for the Echo Reply message that corresponds to a given Echo Request message to be received. If the Echo Reply message is not received within the time-out, the “Request timed out” error message is displayed. The default [timeout] is 4000 (4 seconds).

ping -4

Specifies that IPv4 is used to ping. This parameter is not required to identify the target host with an IPv4 address. It is only required to identify the target host by name.

ping -6

Specifies that IPv6 is used to ping. This parameter is not required to identify the target host with an IPv6 address. It is only required to identify the target host by name.

.

Ping command switches (Linux)

Description

ping -a

Audible ping.

ping -A

Adaptive ping (interpacket interval adapts to round-trip time).

ping -b

For pinging a broadcast address.

ping -B

Does not allow ping to change the source address of probes. The address is bound to the one selected when ping starts.

Sets the SO_DEBUG option on the socket being used. Essentially, this socket option is not used by Linux kernel.

ping -D

Prints the timestamp (Unix time + microseconds, as in gettimeofday) before each line.

ping -f

For every ECHO_REQUEST sent, a period (.) is printed, while for every ECHO_REPLY received a backspace is printed. This provides a rapid display of how many packets are being dropped.

ping -F

Only for ping6. Allocates and sets a 20-bit flow label on ECHO_REQUEST packets. If the value is zero, the kernel allocates a random flow label.

ping -i [interval]

Wait [interval] seconds between sending each packet. The default is to wait for one second between each packet normally, or not to wait in flood mode (-f).

ping -I [interface]

Sets the source address to the specified interface, whether numeric IP address or name of device. When pinging IPv6 link-local addresses this option is required.

ping -l [preload]

Sends [preload] number of packets and does not wait for replies. Only the super-user may select a [preload] of more than 3.

ping -L

Suppress loopback of multicast packets (only applies if the ping destination is a multicast address).

ping -m

Uses [mark] to tag the packets going out.

ping -M [hint]

Selects path MTU discovery strategy. [Hint] may be either do (prohibit fragmentation, even local one), want (do PMTU discovery, fragment locally when packet size is large), or dont (do not set DF flag).

ping -n

Specifies numeric output only. No attempt is made to look up symbolic names for IP addresses.

Specifies up to 16 pad bytes (in hex) to fill out the packet you send. For example, -p ff will cause the sent packet to be filled with all ones.

ping -q

Quiet output. Nothing is displayed except the summary lines at command startup time and when finished.

ping -Q [tos]

Sets Quality of Service-related bits in ICMP datagrams. [Tos] can be either decimal or hex number.

ping -r

Bypasses the normal routing tables and sends directly to a host on an attached interface. If the host is not on a directly attached network, an error is returned.

ping -R

Records the route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route buffer on returned packets. Note that the IP header is only large enough for nine
such routes. Many hosts ignore or discard this option.

ping -s [packet_size]

Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.

ping -S [sndbuf]

Set the socket send buffer. If not specified, it is selected to buffer not more than one packet.

ping -t [TTL]

Sets the IP TTL to [TTL] seconds.

ping -T [timestamp] [opt]

Sets special IP timestamp options. [Timestamp] option may be either tsonly (only timestamps), tsandaddr (timestamps and addresses) or tsprespechost1…

ping -U

Prints full user-to-user latency (the old behavior).

ping -v

Verbose command output.

ping -V

Shows version and exits.

ping -w [deadline]

Specifies a deadline (or timeout), in seconds, before ping exits regardless of how many packets have been sent or received.

ping -W [timeout]

Time to wait for a response, in seconds. The option affects only timeout in absense of any responses, otherwise ping waits for two RTTs.

Route

Route enables the manipulation and viewing of a computer’s routing table. In other words, it lets you add or remove entries in the routing table.
In Windows the route command follows this syntax:route [-f] [-p] [-4 or -6][Command [Destination] [maskNetmask] [Gateway] [metricMetric]] [ifInterface]]

Route command switches (Windows)

Description

route -f

Clears the routing tables of all gateway entries. If this is used in conjunction with one of the commands, the tables are cleared prior to running the command.

route -p

When used with the ADD command, makes a route persistent across boots of the system. By default, routes are not preserved when the system is restarted.

route -4

Force using IPv4.

route -6

Force using IPv6.

route ADD

Adds a route.

route CHANGE

Modifies an existing route.

route DELETE

Deletes a route.

route PRINT

Prints a route

.
A route command example in Windows would be:route add 10.41.0.0 mask 255.255.0.0 10.27.0.1 (adds a persistent route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0 and the next hop address of 10.27.0.1).
The standard route command syntax in Linux is as follows:route [options] [add or del] [-net or -host] address [modifiers]

Associates a route with a specific device. If dev [interface] is the last option on the command line, the word dev may be omitted.

route [add or del] [default] gw [gw]

Routes packets through the specified gateway.

route [add or del] -host

Specifies that the target is a host (not a network).

route [add or del] -irtt [I]

Sets the initial round trip time (IRTT) for TCP connections over this route to [I] milliseconds (1-12000). This is typically only used on AX.25 networks. If omitted the RFC 1122 default of 300ms is used.

route [add or del] -net

Specifies that the target is a network (not a host).

route [add or del] [-host or -net] netmask [mask]

Sets the subnet [mask].

route [add or del] metric [n]

Sets the metric field in the routing table (used by routing daemons) to the value of [n].

route [add or del]mod, dyn, or reinstate

Install a dynamic or modified route. These flags are for diagnostic purposes, and are generally only set by routing daemons.

route [add or del] mss [bytes]

Sets the TCP Maximum Segment Size (MSS) for connections over this route to the number of [bytes] specified.

route [add or del] reject

Installs a blocking route, which will force a route lookup to fail. This is used to mask out networks before using the default route. This is not intended to provide firewall functionality.

route [add or del] window [W]

Set the TCP window size for connections over this route to the value of [W] bytes. This is typically only used on AX.25 networks and with drivers unable to handle back-to-back frames.

.
These examples should clarify the syntax of the route command.route add -net 127.0.0.0
Adds the normal loopback entry, using netmask 255.0.0.0 (class A net, determined from the destination address) and associated with the “lo” device (assuming this device was previously set up correctly with ifconfig).route add -net 192.56.76.0 netmask 255.255.255.0 dev eth0
Adds a route to the network 192.56.76.x via “eth0″. The Class C netmask modifier is not really necessary here because 192.* is a Class C IP address. The word “dev” can be omitted here.route add default gw 192.168.100.1 dev eth0
Adds a default route (which will be used if no other route matches). All packets using this route will be gatewayed through 192.168.100.1 for interface eth0. The word “dev” can be omitted here.

Telnet

Telnet is a network protocol that allows for connections and user sessions on remote hosts. It is called a ‘terminal emulator’ because it lets you work on a remote host as if you were seated in front of it and using its monitor, keyboard, and mouse. A computer terminal is defined as “an electronic or electromechanical hardware device that is used for entering data into, and displaying data from, a computer or a computing system.” The input and output devices described above create a terminal environment, and telnet lets you mimic that environment on another computer (also referred to as “getting a shell” on the remote host).
Any information security professional worth his salt will tell you that using telnet is not recommended as all logins, passwords and commands are transferred in clear text. An attacker may eavesdrop on a telnet session and obtain the credentials and sensitive data of other users. The Secure Shell (SSH) protocol has effectively replaced telnet; however, in closed, restricted networks where there is zero chance of an attacker performing packet sniffing, telnet can be used. You should still make efforts to phase telnet out and replace it with SSH. SSH is such an important and useful protocol that it will be covered in a forthcoming article on this website. Until then you can learn more about SSH and its uses here.
This page supposedly lists free telnet servers that you can connect to and practice on.
By running a telnet connection to the open ports on a host, you can view the banners that reveal which service is answering on those specific ports. Many email, FTP, and web servers will respond to telnet connection requests with the name and version of their email, FTP, and web software (such as Exchange, IIS, etc). If you want to grab the banner of a web server, type:telnet 80, followed by: HEAD/HTTP/1.0.Telnet is not installed by default on Windows Vista, 7, or 2008. To learn how to get telnet running on these operating systems, use the instructions located on TechNet.
The standard telnet command syntax in Windows is:telnet [-a][-eescape_char][-flog_file][-luser_name][-tterm]host [port]
(where host specifies the NetBIOS name, fully qualified domain name, or IP address of the host with which you want to create a telnet connection, and port specifies the TCP port on which you want to create a telnet connection. The default telnet port is 23).

Telnet command switches (Windows)

Description

telnet [servername] [portnumber]

Starts the telnet client and attempts to initiate a session with [servername] on [portnumber]. If no [portnumber] is provided, the default port 23 is used.

telnet -a

Instructs telnet.exe to log on to the host using the credentials of the user who is currently logged on to the client.

telnet -e [escape_char]

Specifies an escape character, which displays the telnet command prompt. The default escape character is Ctrl+].

telnet -f [log_file]

Creates a client-side log file and turns on client-side logging for the current session. The [log_file] parameter must consist of a path and file name.

telnet -l [user_name]

Instructs telnet.exe to log on to the host using the user account that is specified in [user_name]. The user account specified in [user_name] must have Telnet logon rights on the host.

telnet -t [term]

Specifies the terminal type. The default terminal type is ANSI. Other valid terminal types include VT52, VT100, and VTNT.

close or c

Closes an existing Telnet connection.

display

Use the display command to view the current settings for the telnet client. The display command lists the current operating parameters. If you are in a telnet session (connected to a telnet server), to modify the parameters, press CTRL+]. This escapes from the telnet session. (To return to the Telnet session, press ENTER.)

Indicates that NTLM authentication is disabled, and that user IDs and passwords will be sent in plaintext.

display WILL TERM TYPE

display WONT TERM TYPE

display LOCALECHO off

display LOCALECHO off

enter

Go to the connected session (if it exists).

open or o

Establish a telnet connection with a host computer or remote server. For example, o telnet.org 44 will attempt to connect your computer to telnet.org using port 44.

quit or q

Exit telnet.

send

Sends commands to the telnet server.

send ao

Abort output command.

send ayt

“Are you there?” command.

send brk

Sends a break signal.

send esc

Sends the current escape character.

send ip

Interrupts the current process.

send synch

Performs the telnet synch operation.

set

Set the terminal type for the connection, turn on local echo, set authentication to NTLM, set the escape character, and set up logging.

set bsasdel

Backspace will be sent as delete.

set crlf

Sets new-line mode; causes the RETURN key to send the combination of carriage return and line feed: 0x0D, 0x0A. When turned off, it sends only the carriage return character, 0x0D.

set delasbs

Delete will be sent as backspace.

set escape [character]

Specifies the [character] that will switch from telnet session mode to the telnet command mode. While in telnet command mode, press ENTER to return to telnet session mode.

set localecho

Turns on local echo. All characters typed will be displayed on the local console. Remote Telnet servers usually send each character typed back, so setting this option could result in duplicate characters displayed for each one typed.

set logfile [name]

Specifies the [name] of the file to which the telnet log is written for this session. If you do not specify the path of the file, it is created in your current directory. Specifying a log file also turns on logging. The log file must be on your local computer.

set logging

Turns on logging for this session. If no log file is set, an error message is displayed.

set mode {console | stream}

Changes the mode of operation from console mode to stream mode. Setting the mode to stream turns off the ANSI or other escape commands that attempt to control cursor placement or clearing the screen. Setting the mode to console causes Telnet server to include ANSI or other escape commands to control cursor positioning within a fixed window of x rows and y columns. Stream mode is useful when you do not want the Telnet client to emulate a terminal. The output is sent as if there is no terminal window with x rows and y columns. Some applications that use telnet for file transfer fail to work correctly when console mode is enabled.

Telnet command switches (Linux)

Description

Uses bind to bind the local socket to an aliased address (see ifconfig –alias) or to the address of an interface different from the one selected by connect.

telnet -c

Disables the reading of the user’s .telnetrc file. The .telnetrc file contains the setup information for a telnet session. It is a hidden file in your home directory and must be readable by the user logging in.

telnet -d

Enables debugging at the socket level.

telnet -e [escape_char]

Sets the initial telnet escape character to [escapechar]. If [escapechar] is omitted, then there will be no escape character.

telnet -E

Stops any character from being recognized as an escape character.

telnet -f

If Kerberos V5 authentication is being used, allows the local credentials to be forwarded to the remote host.

telnet -F

If Kerberos V5 authentication is being used, allows the local credentials to be forwarded to the remote host, including any credentials that have already been forwarded into the local environment.

telnet -k [realm]

If Kerberos authentication is being used, requests that telnet obtain tickets for the remote host in realm [realm] instead of the remote host’s realm.

telnet -K

Prevents automatic login to the remote host.

telnet -l [user]

When connecting to the remote host, if the remote host understands the ENVIRON option, then [user] will be sent as the value for the variable USER. This option implies the -a option and may also be used with the open command.

telnet -L

Specifies an 8-bit data path on output. This causes the BINARY option to be negotiated on output.

telnet -n [trace_file]

Opens [trace_file] for recording the trace information.

telnet -r

Specifies a user interface similar to rlogin. In this mode, the escape character is set to the tilde (~) character, unless modified by the -e option.

Sets operating parameters as described below..
debug: enables debugging.echo: character to toggle local echoing on/off.escape: character to escape back to telnet command mode.netdata: enables printing of hexadecimal network data (debugging).options: enables viewing of options processing (debugging).prettydump: enables output of “netdata” to user readable format (debugging).rlogin: rlogin escape character.termdata: enables (debugging) toggle printing of hexadecimal terminal data.tracefile: the file to write trace information to.?: display help information..
The following need ‘localchars’ to be toggled ‘true’:.eof: character to cause an EOF.flushoutput: character to cause an Abort Output.interrupt: character to cause an Interrupt Process.quit: character to cause an Abort process..
The following are for local editing in linemode:.
autoflush: enables flushing of output when sending interrupt characters.
autosynch: enables automatic sending of interrupt characters in urgent mode.crlf: enables sending carriage returns as telnet crmod: enables mapping of received carriage returns.erase: character to use to erase a character.forw1: alternate end of line character.forw2: alternate end of line character.inbinary: enables receiving of binary data.kill: character to use to erase a line.lnext: character to use for literal next.localchars: enables local recognition of certain control characters.outbinary: enables sending of binary data.reprint: character to use for line reprint.start: character to use for XON.stop: character to use for XOFF.skiprc: enable don’t read ~/.telnetrc file.susp: character to cause a Suspend Process.worderase: character to use to erase a word.

telnet> slc

Changes the state of special charaters as follows:.
check: Verify remote special character definitions.export: Use local special character definitions.import: Use remote special character definitions.?: Print help information.

Traceroute and Tracert

Traceroute (tracert in Windows) is a network diagnostic tool for displaying the route (path) of packets and measuring their transit delays across an IP network. Traceroute works by increasing the TTL value of each successive set of packets sent. The first set of packets has a hop limit value of 1, so they are not forwarded by the first router. The next set has a hop limit value of 2, so that the second router will send the error reply. This continues until the destination host receives the packets and returns an ICMP Echo Reply message. In other words, the TTL value on each packet increments by one after each hop is reached. Then the packet returns, ensuring that the response comes back explicitly from that hop (its name and IP address are also displayed). Traceroute uses the returned ICMP messages to produce a list of routers that the packets have traversed. The timestamp values returned for each router along the path are the delay (latency) values measured in milliseconds for each packet.
The traceroute/tracert tool will time out (indicated in the command output by an asterisk) when it encounters a firewall or a packet-filtering router.Traceroute in Linux and Unix uses UDP by default, while tracert in Windows uses ICMP.
The standard tracert command syntax is:tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name

Tracert command switches

Description

tracert [destination]

Traces the path to the host or IP address named [destination].

tracert -d

Prevents tracert from attempting to resolve the IP addresses of intermediate routers to their names (which can speed up the display of tracert results).

tracert -h [MaxHops]

Specifies the maximum number of hops in the path to search for the target (destination). The default is 30 hops.

tracert -j [HostList]

Specifies that Echo Request messages use the Loose Source Route option in the IP header with the set of intermediate destinations specified in [HostList]. With loose source routing, successive intermediate destinations can be separated by one or multiple routers. The maximum number of addresses or names in the host list is 9. The [HostList] is a series of IP addresses (in dotted decimal notation) separated by spaces.

tracert -w [timeout]

Specifies the amount of time in milliseconds to wait for the ICMP Time Exceeded or Echo Reply message corresponding to a given Echo Request message to be received. If not received within the time-out, an asterisk (*) is displayed. The default time-out is 4000 (4 seconds).

tracert -R

Trace round-trip path (IPv6-only).

tracert -S [srcaddr]

Source address to use (IPv6-only).

tracert -4

Force using IPv4.

tracert -6

Force using IPv6.

.

Traceroute command switches

Description

Prints the number of backward hops when it seems different than the forward direction. This number is guessed in the assumption that remote hops send reply packets with the initial TTL set to either 64, 128, or 255 (which seems a common practice). It is printed as a negative value in a form of ‘-NUM’ .

traceroute -d

Enables socket level debugging (when the Linux kernel supports it).

traceroute -e

Shows the ICMP extensions (RFC 4884). The general form is CLASS/TYPE, followed by a hexadecimal dump.

Tells traceroute to add an IP source routing option to the outgoing packet that tells the network to route the packet through the specified [gw_addr] (most routers disable source routing for security reasons). In general, several gateways are allowed (comma separated).

traceroute –help

Prints the help message.

traceroute -i [interface]

Specifies the [interface] through which traceroute should send packets. By default, the interface is selected according to the routing table.

Specifies the maximum number of hops (i.e., the max TTL value). The default is 30.

traceroute -M [method]

Uses the specified [method] for traceroute operations. Default traditional UDP method has the name default; ICMP (-I) and TCP (-T) have names icmp and tcp, respectively. Method-specific options can be passed by -O.

Specifies the number of probe packets sent out simultaneously. Sending several probes concurrently can speed up traceroute. The default value is 16. Note that if you use ICMP probes, some routers and hosts can use ICMP rate throttling.

traceroute -O [option]

Specifies some method-specific [option]. Several options are separated by commas (or they use several -O on the command line).

traceroute -p [port]

Sets the destination base UDP port number to [port]; default is 33434. For ICMP tracing, specifies the initial ICMP sequence value (incremented by each probe). For TCP, specifies just the (constant) destination port to connect to.

traceroute -P [proto]

Uses the raw packet of the specified protocol for tracerouting. The default protocol is 253 (RFC 3692).

traceroute -q [num_queries]

Sets the number of probe packets per hop. The default is 3.

traceroute -r

Bypasses the normal routing tables and sends directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it.

Sets the time (in seconds) to wait for a response to a probe (the default is 5 seconds).

traceroute -z [sendwait]

Sets the minimal time interval between probes (default is 0). If the value is more than 10, then it specifies a number in milliseconds, otherwise it is a number of seconds. Useful when some routers use rate-limiting for ICMP messages.

traceroute -4 or -6

Explicitly forced IPv4 or IPv6. By default, the program will try to resolve the name given, and choose the appropriate protocol automatically. If resolving a host name returns both IPv4 and IPv6 addresses, traceroute will use IPv4.

Whois

whois is a domain name query tool. Some of the information it provides on domain names includes: registered address, technical and DNS contacts, contact email addresses, contact phone number, and the expiration date of the domain name registration.Whois commands are commonly executed from network query-oriented websites, as described here. However, you can run whois from a command line interface as well. Whois is easily available in Linux and Unix (may be available as jwhois), but must be installed manually on Windows. Note that the version of whois published by Marco d’Itri of linux.it uses very different options from the standard whois/jwhois.

Whois command switches (Windows)

Description

whois [domainname] [whois.server]

Performs a whois query on [domainname] using the whois server specified.

.

Whois command switches (Linux)

Description

whois -a or –raw

Disables reformatting of the query.

whois -c [file] or –config=[file]

Uses [file] as a configuration file instead of jwhois.conf.

whois -d or –disable-cache

Disables reading from (and writing to) the cache.

whois -f or –force-lookup

Forces a query to be made to a host even if a current object is available from the cache.

whois -h [host] or –host=[host]

Overrides any hosts in the configuration file and queries [host] directly.

whois –help

Prints the help message.

whois -i or –display-redirections

Displays every step in a redirection (the default is to display only the last answer).

whois -n or -no-redirect

Disables redirection from one server to another.

whois -p [port] or –port=[port] [host]

Specifies a port number to use when querying a host. For example, whois –port=9103 10.20.30.31 forces a test on this host’s port 9103

whois -r or –rwhois

Forces the query to use the rwhois protocoll instead of HTTP or whois.

whois –rwhois-display=[display]

Asks receiving rwhois servers to display the results in the specified [display] instead of the default dump display.